CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability
Microsoft is aware of a critical security vulnerability, identified as CVE-2023-36884, affecting Windows and Office products.
This vulnerability allows remote code execution and has been actively exploited by threat actor Storm-0978, also known as DEV-0978, in their latest phishing campaign during June 2023, targeting defense and government entities in Europe and North America.
Exploitation of this vulnerability has also been detected in the latest software release.
The vulnerability could be leveraged by an attacker to execute arbitrary code on a victim’s system. However, successful exploitation requires convincing the victim to open a specially crafted Microsoft Office document. This is achieved by phishing campaigns utilizing social engineering techniques to lure the victim into opening the weaponized documents.
While the flaw is not yet addressed, Microsoft claims it will provide customers with patches via the monthly release process or an out-of-band security update.
- The following are the suggested mitigations:
Customers using Microsoft Defender for Office are already protected against attachments attempting to exploit this vulnerability. - Employing the “Block all Office applications from creating child processes” Attack Surface Reduction Rule in current attack chains can prevent exploitation.
- Organizations unable to utilize the above protections can mitigate the risk by setting the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key. Include the following application names as values of type REG_DWORD with data 1:
-Excel.exe
-Graph.exe
-MSAccess.exe
-MSPub.exe
-PowerPoint.exe
-Visio.exe
-WinProj.exe
-WinWord.exe
-Wordpad.exe
The SOC teams of OBRELA remain vigilant and are closely monitoring clients’ infrastructure regarding potential exploitation attempts and IoCs.
References: